Sophos: Crypto-Jacking Campaign Linked to Iranian Company
An Iran-based software company is likely behind a recently identified crypto-jacking campaign targeting SQL servers, according to a report by British anti-malware vendor Sophos.
The attacks result in the MrbMiner crypto-miner being installed onto the target servers, with the software apparently created, controlled, and hosted by a named Iranian company.
The Sophos researchers note that they couldn't determine exactly how the infected database servers were compromised, but they believe the attackers might have employed the same techniques used in separate attacks featuring the Kingminer, Lemon Duck, or MyKings miners.
The attackers might have attempted to brute-force SQL servers and then load malicious components using SQL command scripts, or they might have relied on exploits for the EternalBlue vulnerability for lateral movement.
On the infected servers, the SQL Server process was observed launching a file called assm.
"We found the miner downloads in the web root of the vihansoft domain, in a repository under a now-shuttered Github user account, and on the mrbfile.xyz and mrbftp.xyz domains, as well as on a small number of IP addresses," Sophos notes.
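One way to hunt for the behaviour reported above is to flag anything the SQL Server process launches and any lookup of the two miner domains. This is an added example, not code from Sophos or from the original article; the event field names, the allowlist, and the sample events (including the `dl.` subdomain and file paths) are constructed assumptions.

```python
import ntpath

# Indicators quoted in the article. The file name appears there only as "assm",
# so the child process is matched on its name stem, whatever the extension.
MINER_DOMAINS = ("mrbfile.xyz", "mrbftp.xyz")
DROPPED_STEM = "assm"
SQL_SERVER_IMAGE = "sqlservr.exe"   # SQL Server database engine process
ALLOWED_CHILDREN = {"conhost.exe"}  # assumption: site-specific allowlist

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
# Constructed sample telemetry; field names are hypothetical.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "db01", "parent": SQLSERVR, "image": r"C:\Windows\Temp\assm"},
    {"kind": "process", "host": "db02", "parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "process", "host": "db02", "parent": SQLSERVR, "image": r"C:\Windows\System32\conhost.exe"},
    {"kind": "process", "host": "ws07", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "dns", "host": "db03", "query": "dl.mrbfile.xyz."},
    {"kind": "dns", "host": "db03", "query": "notmrbfile.xyz"},
]

def basename(path):
    # ntpath parses Windows paths correctly on any analysis host.
    return ntpath.basename(path).lower()

def domain_listed(query):
    # Match the listed domain itself or any subdomain, never a mere suffix.
    name = query.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in MINER_DOMAINS)

def triage(events):
    findings = []
    for ev in events:
        if ev["kind"] == "process" and basename(ev["parent"]) == SQL_SERVER_IMAGE:
            child = basename(ev["image"])
            if ntpath.splitext(child)[0] == DROPPED_STEM:
                findings.append((ev["host"], "high", "sqlservr.exe launched " + child))
            elif child not in ALLOWED_CHILDREN:
                findings.append((ev["host"], "review", "unexpected sqlservr.exe child " + child))
        elif ev["kind"] == "dns" and domain_listed(ev["query"]):
            findings.append((ev["host"], "high", "lookup of " + ev["query"].rstrip(".")))
    return findings

if __name__ == "__main__":
    for host, severity, reason in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host}  {reason}")
```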